<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18852"></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=589021708-12112009>allowguest=yes as default is IMO a breach of
AST-2008-003 which states</SPAN></FONT></DIV>
<DIV dir=ltr align=left><SPAN class=589021708-12112009><FONT color=#0000ff
size=2 face=Arial>"</FONT><FONT color=#0000ff size=2 face=Arial>A fix has been
added which checks for the option 'allowguest' to be enabled </FONT><FONT
face=Arial><FONT color=#0000ff><FONT size=2>before determining that
authentication is not required<SPAN
class=589021708-12112009>"</SPAN></FONT></FONT></FONT></SPAN></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=589021708-12112009></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=589021708-12112009>Please refer: </SPAN></FONT><FONT color=#0000ff size=2
face=Arial><A
href="http://downloads.asterisk.org/pub/security/AST-2008-003.pdf">http://downloads.asterisk.org/pub/security/AST-2008-003.pdf</A></FONT></DIV><FONT
color=#0000ff size=2 face=Arial></FONT>
<DIV><BR><SPAN class=589021708-12112009><FONT color=#0000ff size=2
face=Arial>Sorry I missed that on my original posting.</FONT></SPAN></DIV>
<DIV><SPAN class=589021708-12112009><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=589021708-12112009><FONT color=#0000ff size=2 face=Arial>Alec
Davis</FONT></SPAN></DIV>
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> asterisk-dev-bounces@lists.digium.com
[mailto:asterisk-dev-bounces@lists.digium.com] <B>On Behalf Of </B>Alec
Davis<BR><B>Sent:</B> Thursday, 12 November 2009 8:34 p.m.<BR><B>To:</B>
asterisk-dev@lists.digium.com<BR><B>Subject:</B> [asterisk-dev] Security Request
for discussion: Should sip.conf allowguest=yes be the
default<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2 face=Arial>At Tilghman's
request.</FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2 face=Arial>We need to agree to
change the sip.conf default from allowguest=yes to
allowguest=no</FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2 face=Arial>and extensions.conf
to have a warning in the [default] section that sip.conf may have allowguest=yes
or nothing, which will default to yes.</FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009></SPAN><SPAN
class=801181907-12112009></SPAN><SPAN class=801181907-12112009><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2
face=Arial>Reference Mantis bugs:</FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><A
href="https://issues.asterisk.org/view.php?id=15101"><FONT size=2
face=Arial>https://issues.asterisk.org/view.php?id=15101</FONT></A><FONT size=2
face=Arial> SIP allowguest defaults to yes with 'make samples'
</FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><A
href="https://issues.asterisk.org/view.php?id=16226"><FONT size=2
face=Arial>https://issues.asterisk.org/view.php?id=16226</FONT></A><FONT size=2
face=Arial> 1.4.26.3 security issue - Chinese IPs somehow are making calls
without authentication </FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2 face=Arial>There are many
installations out there where newbies are playing in the [default] context
in their dialplan, getting things working, then opening port 5060 in their
firewall without understanding what they've just done.</FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2 face=Arial>Initially
I thought it was great that we allow any SIP phone to connect to
Asterisk, with no configuration required at the Asterisk end, how wrong I
was. </FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2 face=Arial>Alec
Davis</FONT></SPAN></DIV></BODY></HTML>